In this tutorial, you learn how to send messages to an Amazon SQS queue over a secure, private network. This network consists of a VPC that contains an Amazon EC2 instance. The instance connects to Amazon SQS through an interface VPC endpoint, which lets you connect to the Amazon EC2 instance and send messages from it to the Amazon SQS queue even though the network is disconnected from the public internet. For more information, see Amazon Virtual Private Cloud Endpoints for Amazon SQS.

Important

When you send messages to Amazon SQS from inside an Amazon VPC, make sure that you enable private DNS on the VPC endpoint and use only endpoints in the regional format, for example sqs.us-east-2.amazonaws.com.

Private DNS doesn't support legacy endpoints such as queue.amazonaws.com or us-east-2.queue.amazonaws.com. A client configured with a legacy endpoint name resolves it to public IP addresses, so its requests don't use the interface endpoint.

Save the private key file in a safe place. Amazon EC2 doesn't let you download the .pem file for the same key pair a second time.

To allow an SSH client to connect to your EC2 instance, set the permissions for your private key file so that only your user can read it, for example:

chmod 400 SQS-VPCE-Tutorial-KeyPair.pem

Step 2: Create AWS Resources

To set up the necessary infrastructure, you use an AWS CloudFormation template, which is a blueprint for creating a stack comprised of AWS resources, such as Amazon EC2 instances and Amazon SQS queues.

The stack for this tutorial includes the following resources:

A VPC and the associated networking resources, including a subnet, a security group, an internet gateway, and a route table

On the Select Template page, choose Upload a template to Amazon S3, select the SQS-VPCE-SQS-Tutorial-CloudFormation.yaml file, and then choose Next.

On the Specify Details page, do the following:

For Stack name, enter SQS-VPCE-Tutorial-Stack.

For KeyName, choose SQS-VPCE-Tutorial-Key-Pair.

Choose Next.

On the Options page, choose Next.

On the Review page, in the Capabilities section, choose I acknowledge that AWS CloudFormation might create IAM resources with custom names., and then choose Create.

AWS CloudFormation begins to create the stack and displays the CREATE_IN_PROGRESS status. When the process is complete, AWS CloudFormation displays the CREATE_COMPLETE status.

Step 3: Confirm That Your EC2 Instance Isn't Publicly Accessible

Your AWS CloudFormation template launches an EC2 instance named SQS-VPCE-Tutorial-EC2-Instance into your VPC. This EC2 instance doesn't allow outbound traffic, so it can't reach the public Amazon SQS endpoint and isn't able to send messages to Amazon SQS. To verify this, connect to the instance, try to connect to a public endpoint, and then try to send a message to Amazon SQS. Both attempts should fail.

Later, when you create a VPC endpoint for Amazon SQS, your sending attempt will succeed.
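The following script, added here as an example and not part of the AWS tutorial or its CloudFormation template, performs the Step 3 check from inside the instance: it attempts a TCP connection to a public host and to the regional Amazon SQS endpoint and reports whether each attempt was blocked. The probe targets, the timeout, the result labels, and the simulated-drop helper are assumptions of this example.

```python
# Added example (not AWS documentation code). Probes outbound connectivity
# from the tutorial EC2 instance and classifies each attempt.
import socket

# Constructed probe targets (assumptions of this example): example.com stands
# in for "any public endpoint"; the SQS hostname is the regional endpoint
# this tutorial uses.
PROBES = {
    "public": ("example.com", 443),
    "sqs": ("sqs.us-east-2.amazonaws.com", 443),
}


def tcp_connect(host, port, timeout):
    """Open and immediately close a TCP connection; raises on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def simulated_drop(host, port, timeout):
    """Stand-in for tcp_connect that behaves like a security group with no
    outbound rule: the SYN is silently dropped and the connect times out.
    Used for offline testing of the classifier."""
    raise TimeoutError(f"simulated drop of {host}:{port} after {timeout}s")


def classify(host, port, timeout=5.0, connect=tcp_connect):
    """Classify one connection attempt.

    A security group with no outbound rule silently drops the SYN, so the
    expected result inside the tutorial VPC is "timeout". "unresolved" means
    DNS itself gave no answer. "open" means the instance could reach the
    target, which Step 3 expects NOT to happen.
    """
    try:
        connect(host, port, timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    return "open"


def isolation_report(connect=tcp_connect, timeout=5.0):
    """Run every probe and return a {name: result} mapping."""
    return {
        name: classify(host, port, timeout, connect)
        for name, (host, port) in PROBES.items()
    }


def is_isolated(report):
    """True when no probe completed a connection."""
    return all(result != "open" for result in report.values())


if __name__ == "__main__":
    report = isolation_report()
    for name, result in report.items():
        print(f"{name:>6}: {result}")
    print("isolated" if is_isolated(report) else "NOT isolated")
```

Run it on the instance before Step 4 and both probes should report timeout. Run it again after the endpoint exists with private DNS enabled, and only the sqs probe should change to open; if the public probe also opens, the instance has an internet path the tutorial doesn't intend.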

Step 4: Create an Amazon VPC Endpoint for Amazon SQS

To connect your VPC to Amazon SQS, you must define an interface VPC endpoint. After you add the endpoint, you can use the Amazon SQS API from the EC2 instance in your VPC. This allows you to send messages to a queue within the AWS network without crossing the public internet.

Note

The EC2 instance still doesn't have access to other AWS services or to endpoints on the internet.
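The following script, added here as an example and not AWS code, checks the two things that the Important note above and Step 4 rely on: that the client is configured with a regional endpoint of the form sqs.<region>.amazonaws.com (the only form private DNS covers, as opposed to the legacy queue.amazonaws.com names), and that, once the interface endpoint exists with private DNS enabled, that name resolves to private addresses inside the VPC rather than to public ones. The region pattern, the verdict labels, and the sample queue URL are assumptions of this example.

```python
# Added example (not AWS documentation code). Validates the SQS endpoint
# name a client uses and checks what it resolves to from inside the VPC.
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Assumed shape of an AWS region name, e.g. us-east-2, eu-west-1, us-gov-west-1.
REGION = r"[a-z]{2}(?:-gov)?-[a-z]+-\d"
REGIONAL_SQS = re.compile(rf"^sqs\.{REGION}\.amazonaws\.com$")
# Legacy forms that private DNS does not cover: queue.amazonaws.com and
# <region>.queue.amazonaws.com.
LEGACY_SQS = re.compile(rf"^(?:{REGION}\.)?queue\.amazonaws\.com$")


def hostname_of(endpoint):
    """Accept a bare hostname or a full queue URL and return the hostname."""
    if "://" in endpoint:
        return (urlparse(endpoint).hostname or "").lower()
    return endpoint.split("/", 1)[0].lower()


def endpoint_kind(endpoint):
    """'regional' for sqs.<region>.amazonaws.com, 'legacy' for the old
    queue.amazonaws.com forms, 'unknown' for anything else."""
    host = hostname_of(endpoint)
    if REGIONAL_SQS.match(host):
        return "regional"
    if LEGACY_SQS.match(host):
        return "legacy"
    return "unknown"


def resolve_ips(host):
    """Resolve a hostname through the VPC resolver to a list of IPv4 strings."""
    return socket.gethostbyname_ex(host)[2]


def private_dns_status(endpoint, resolve=resolve_ips):
    """Report whether traffic to this endpoint would stay inside the VPC.

    With private DNS enabled on the interface endpoint, the regional name
    resolves to the endpoint network interfaces' private (RFC 1918)
    addresses. Public addresses mean the endpoint or private DNS is missing,
    and traffic would need an internet path this tutorial's VPC doesn't have.
    """
    host = hostname_of(endpoint)
    kind = endpoint_kind(endpoint)
    result = {"host": host, "kind": kind, "addresses": []}
    if kind != "regional":
        result["verdict"] = "unsupported-endpoint"
        return result
    addresses = list(resolve(host))
    result["addresses"] = addresses
    if not addresses:
        result["verdict"] = "unresolved"
    elif all(ipaddress.ip_address(a).is_private for a in addresses):
        result["verdict"] = "private-dns-active"
    else:
        result["verdict"] = "public-path"
    return result


if __name__ == "__main__":
    import sys

    # Constructed sample queue URL (assumption; the account ID is a placeholder).
    target = sys.argv[1] if len(sys.argv) > 1 else (
        "https://sqs.us-east-2.amazonaws.com/123456789012/SQS-VPCE-Tutorial-Queue"
    )
    print(private_dns_status(target))
```

Run it on the instance with the queue URL you intend to use. Before the endpoint exists, the regional name resolves to public addresses and the verdict is public-path; after you create the interface endpoint (service name com.amazonaws.us-east-2.sqs for this tutorial's region) with private DNS enabled, the same name resolves to the endpoint's private addresses. A legacy name is reported as unsupported-endpoint without being resolved, because fixing the client configuration comes before anything else.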